US10699011B2ExpiredUtilityA1

Efficient white listing of user-modifiable files

60
Assignee: MICROSOFT TECHNOLOGY LICENSING LLCPriority: Oct 29, 2004Filed: Jun 28, 2018Granted: Jun 30, 2020
Est. expiryOct 29, 2024(expired)· nominal 20-yr term from priority
G06F 21/562G06F 21/56G06F 15/00
60
PatentIndex Score
0
Cited by
0
References
19
Claims

Abstract

A system and method for efficiently determining that a received file is not malware is presented. In operation, when a file is received at a computing device, an evaluation is made as to whether the file includes user-modifiable, or superficial, data areas, i.e., areas of the file that by their nature do not typically carry or embed malware. If the file includes superficial data areas, those superficial data areas are filtered out and a file signature is generated based on the remaining portions of the received file. The file can then be compared to a list of know malware to determine if the file is malware. Alternatively, the file can be compared to a list of known, trusted files to determine whether the file is trustworthy.

Claims

exact text as granted — not AI-modified
The embodiments of the invention in which an exclusive property or privilege is claimed are defined as follows: 
     
       1. A computer device, comprising:
 a memory to store data and instructions; and 
 at least one processor in communication with the memory; 
 wherein the at least one processor is operable to:
 receive a file with multiple parts, wherein the multiple parts include at least one superficial data area within the file and a plurality of permanent data areas within the file, wherein the at least one superficial data area is different from the plurality of permanent data areas and the at least one superficial data area represents a user data area modifiable by a user whose modification has no effect on potential malware within the plurality of permanent data areas; 
 filter out the at least one superficial data area of the file to define a remaining unfiltered portion of the file, wherein the unfiltered portion of the file includes the plurality of permanent data areas; 
 generate a file signature from only a filtered version of the file based on the remaining unfiltered portion of the file; 
 compare the file signature against file signatures of files included in a list of trusted files; 
 admit the file in response to the file signature matching one of the file signatures included in the list of trusted files; and 
 apply at least one security policy to the file in response to the file signature not matching the file signatures included in the list of trusted files. 
 
 
     
     
       2. The computer device of  claim 1 , wherein the at least one security policy includes one or more of deleting the file, quarantining the file for a period of time, disabling features associated with the file while the file is admitted to a file system, disabling network ability features of the computer device during operation of the file, restricted execution of the file, and purging the file. 
     
     
       3. The computer device of  claim 1 , wherein the at least one processor is further operable to:
 obtain a trust level of the file based at least upon information associated with a matching file signature included in the list of trusted files; and 
 vary admittance of the file in accordance with the trust level. 
 
     
     
       4. The computer device of  claim 3 , wherein the at least one processor is further operable to:
 automatically admit the file in response to a first level of trust; and 
 delay the admittance of the file in response a second level of trust. 
 
     
     
       5. The computer device of  claim 3 , wherein the information is based on a volume of feedback associated with the file. 
     
     
       6. The computer device of  claim 3 , wherein the information identifies whether the file signature was generated based on one or more permanent portions of the files. 
     
     
       7. The computer device of  claim 3 , wherein the information identifies a source of the files in the list of trusted files. 
     
     
       8. The computer device of  claim 3 , wherein the information is based on feedback obtained from one or more users regarding a trustworthiness of the file. 
     
     
       9. The computer device of  claim 1 , wherein the plurality of permanent data areas include at least one of a macro, a template, a style, or an embedded objects. 
     
     
       10. A method executed by a computer device whereby instructions stored upon one or more computer readable media are executed upon one or more processors, comprising:
 receiving a file with multiple parts, wherein the multiple parts include at least one superficial data area within the file and a plurality of permanent data areas within the file, wherein the at least one superficial data area is different from the plurality of permanent data areas and the at least one superficial data area represents a user data area modifiable by a user whose modification has no effect on potential malware within the plurality of permanent data areas; 
 filtering out the at least one superficial data area of the file to define a remaining unfiltered portion of the file, wherein the unfiltered portion of the file includes the plurality of permanent data areas; 
 generating a file signature from only a filtered version of the file based on the remaining unfiltered portion of the file; 
 comparing the file signature against file signatures of files included in a list of trusted files; 
 admitting the file in response to the file signature matching one of the file signatures included in the list of trusted files; and 
 applying at least one security policy to the file in response to the file signature not matching the file signatures included in the list of trusted files. 
 
     
     
       11. The method of  claim 10 , wherein the at least one security policy includes one or more of deleting the file, quarantining the file for a period of time, disabling network ability features of the computer device during operation of the file, restricted execution of the file, and purging the file. 
     
     
       12. The method of  claim 10 , further comprising:
 obtaining a trust level of the file based at least upon information associated with a matching file signature included in the list of trusted files; and 
 varying admittance of the file in accordance with the trust level. 
 
     
     
       13. The method of  claim 12 , wherein varying the admittance of the file further comprises:
 automatically admitting the file in response to a first level of trust; and 
 delaying the admittance of the file in response to a second level of trust. 
 
     
     
       14. The method of  claim 12 , wherein the information is based on a volume of feedback associated with the file. 
     
     
       15. The method of  claim 12 , wherein the information identifies whether the file signature was generated based on one or more permanent portions of the files. 
     
     
       16. The method of  claim 12 , wherein the information identifies a source of the files in the list of trusted files. 
     
     
       17. The method of  claim 12 , wherein the information is based on feedback obtained from one or more users regarding a trustworthiness of the file. 
     
     
       18. The method of  claim 10 , wherein the plurality of permanent data areas include one or more of macros, templates, embedded objects, and applied styles. 
     
     
       19. A non-transitory computer-readable medium storing instructions executable by a computer device, comprising:
 at least one instruction for causing the computer device to receive a file with multiple parts, wherein the multiple parts include at least one superficial data area within the file and a plurality of permanent data areas within the file, wherein the at least one superficial data area is different from the plurality of permanent data areas and the at least one superficial data area represents a user data area modifiable by a user whose modification has no effect on potential malware within the plurality of permanent data areas; 
 at least one instruction for causing the computer device to filter out the at least one superficial data area of the file to define a remaining unfiltered portion of the file, wherein the unfiltered portion of the file includes the plurality of permanent data areas; 
 at least one instruction for causing the computer device to generate a file signature from only a filtered version of the file based on the remaining unfiltered portion of the file; 
 at least one instruction for causing the computer device to compare the file signature against file signatures of files included in a list of trusted files; 
 at least one instruction for causing the computer device to admit the file in response to the file signature matching one of the file signatures included in the list of trusted files; and 
 at least one instruction for causing the computer device to apply at least one security policy to the file in response to the file signature not matching the file signatures included in the list of trusted files.

Cited by (0)

No later patents cite this yet.

References (0)

No backward citations on record.